Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it's official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Medicare: Vulnerabilities Related to Provider Enrollment and Ownership Disclosure

Related Content



CMS can prevent inappropriate payments, protect beneficiaries, and reduce time-consuming and expensive "pay and chase" activities by ensuring that providers that intend to engage in fraudulent or abusive activities are not allowed to enroll in Medicare. For CMS to identify potentially fraudulent providers, as well as those that may be associated with excluded individuals or entities, providers must disclose accurate and timely information about their owners (i.e., individuals or corporations with a 5 percent or more ownership or controlling interest; agents; or managing employees).


For selected providers, we compared three sets of owner names: (1) those on record with CMS for Medicare enrollment purposes, (2) those submitted by providers directly to OIG for this evaluation, and (3) those on record with State Medicaid programs for Medicaid enrollment purposes. When we compared names, if we found owner names that were not identical but were reasonably similar, we considered the names to match. Additionally, we surveyed CMS's Medicare Administrative Contractors regarding their checking of exclusions databases when they process Medicare enrollment applications.


Over three-quarters of Medicare providers in our review had owner names on record with CMS that did not match those that providers submitted to OIG. Further, nearly all providers in our review had owner names on record with CMS that did not match those on record with State Medicaid programs. The prevalence of nonmatching owner names raises concern about the completeness and accuracy of information about Medicare providers' ownership. It also demonstrates that providers may not be complying with the requirement to report ownership changes to CMS. Additionally, 2 of the 11 CMS contractors did not check all required exclusions databases, which could allow providers with excluded owners to enroll in the Medicare program. The two contractors reported that they checked only one of two exclusions databases, and this database does not always have the most current information on excluded individuals and entities. Taken together, these findings reveal vulnerabilities that could allow potentially fraudulent providers to enroll in the Medicare program and limit CMS's ability to provide adequate oversight.


We recommend that CMS (1) review providers that submitted nonmatching owner names and take appropriate action, (2) educate providers on the requirement to report changes of ownership, (3) increase coordination with State Medicaid programs on the collection and verification of provider ownership information in Medicare and Medicaid, and (4) ensure that its contractors check exclusions databases as required. CMS concurred with all of our recommendations.